
Author symphorien
Recipients symphorien
Date 2016-12-31.19:00:29
The tkinter.tix module looks for a Tix installation in the directory specified by the TIX_LIBRARY environment variable, but blindly trusts that it is a path in the filesystem. This enables a shell injection:

TIX_LIBRARY='/dev/null}; exec gsimplecal;' python2 -c "from Tix import Tk; Tk()"


TIX_LIBRARY='/dev/null}; exec gsimplecal;' python3 -c "from tkinter.tix import Tk; Tk()"

Python execs gsimplecal, waits on its completion and then raises a tkinter.TclError.

The offending code is here:

Date                 User        Action  Args
2016-12-31 19:00:30  symphorien  set     recipients: + symphorien
2016-12-31 19:00:30  symphorien  set     messageid: <>
2016-12-31 19:00:30  symphorien  link    issue29125 messages
2016-12-31 19:00:29  symphorien  create
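
The quoting failure described in the report above, as an added example that is not part of the original message or of CPython's code: it models how Tcl terminates a brace-quoted word, shows where the reported TIX_LIBRARY value ends that word, and gives the argument-vector form that avoids script parsing. TEMPLATE, split_braced_word, escapes_quoting and lappend_argv are hypothetical names, and the template is an assumed shape of the vulnerable call, inferred from the closing brace in the reported value.

```python
# Assumed shape of the vulnerable call (not copied from the page or CPython):
# the value is substituted into a brace-quoted word of a script for tk.eval().
TEMPLATE = "lappend auto_path {%s}"

# Value taken from the report's TIX_LIBRARY example.
REPORTED_VALUE = "/dev/null}; exec gsimplecal;"


def split_braced_word(script, start):
    """Return (word, rest) for the braced word opening at script[start].

    Tcl's rule: braces nest, a backslash-escaped character is skipped,
    and the word ends at the brace that brings the depth back to 0.
    """
    if script[start] != "{":
        raise ValueError("no opening brace at index %d" % start)
    depth, i = 0, start
    while i < len(script):
        ch = script[i]
        if ch == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return script[start + 1:i], script[i + 1:]
        i += 1
    raise ValueError("unterminated brace-quoted word")


def escapes_quoting(value):
    """True if substituting value changes the script around it."""
    script = TEMPLATE % value
    try:
        word, rest = split_braced_word(script, script.index("{"))
    except ValueError:
        return True  # unbalanced value: the script no longer parses as written
    return word != value or rest != ""


def lappend_argv(value):
    """Hardened form: argument vector for interp.call(*argv).

    tkinter's call() hands each argument to Tcl as one word, so the
    value is data and is never parsed as script text.
    """
    return ("lappend", "auto_path", value)
```

A value with balanced braces stays inside the word, while a Windows-style path ending in a backslash escapes the template's closing brace, so brace-wrapping fails even for some legitimate paths.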